Another Take on the Mobile Security and Fraud Conundrum

A meaningful percentage of transactions still occur via the mobile browser, whether because of missing functionality in the native app, or simply user habit.

Jens Hinrichsen, NuData Security

“POS system RAM scraping” has dominated the news and become an altogether too-familiar part of the security and fraud lexicon these past few months – much to the obvious dismay of Target, Neiman, Michaels, and a host of our other retail brethren (ironically as a result of a compromised HVAC provider’s system, of all things). Yet the fact remains that the risk profile of end-user mobile security and fraud continues to accelerate at an alarming rate.

In speaking with a number of executives responsible for the digital channel at leading financial institutions, the word on everybody’s mind is, quite unsurprisingly, “mobile.” Already, some financial institutions are seeing tablet and smartphone sessions outnumber laptop and desktop sessions. And with organizations continuing to aggressively add functionality to native mobile apps – while attempting to secure or harden them against compromise – a marked level of concern remains for those users with a penchant for using the web browser over a native mobile app. A meaningful percentage of sessions and transactions still occur via the mobile browser, whether because of missing functionality in the native app, or simply user habit.

Enterprises, too, are going through a variety of growing pains as the BYOD trend continues to grow. And despite a great deal of progress in mobile data encryption, device management, and mobile access controls, these capabilities are predominantly geared toward protecting employees of the financial organization per se, and not its customers. From an overarching security and fraud perspective, mobile browsing shuffles the deck, rendering many existing investments in securing the digital channel largely ineffective. This is because of both the different nature of threats targeting mobile devices and the inability of existing technologies to take a proactive role in mitigating such risk.

Let’s summarize a few of the core issues at play:

1. Current fraud technologies pay a disproportionate level of attention to IP addresses and geo-location information. With cellular networking, however, an IP address does not uniquely identify a user – and geo-location is hence difficult to pinpoint – as the address is shared amongst many of the carrier’s customers, across many geographies.

2. Current fraud technologies often measure the riskiness of a session by assessing the device fingerprint, intended to ascertain whether the session is actually emanating from the user’s device. Of the many fingerprinting technologies available, their applicability to mobile browsers breaks down for a variety of reasons:

Many device fingerprinting technologies rely on “persistent storage”, which effectively stores information at the browser level that is then re-evaluated with each subsequent session. The common means of accomplishing this include dropping HTTP cookies, HTML5 objects, or shared Flash objects. Unfortunately, platforms like Apple iOS/Safari do not accommodate persistent storage, with all sessions effectively appearing to be from a new device.

An alternative to persistent storage is statistical recognition: i.e., running client-side scripts that collect information about each endpoint, and then attempting to discern statistically unique combinations of variables particular to that device. For instance, the combination of screen resolution, display DPI, input language, OS version, presence of ActiveX components, and so on is assessed, and then compared to the general population as a measure of uniqueness. This too falls short in the mobile arena, as many iPhones, for example, are not sufficiently statistically dissimilar from one another.

3. The security controls for web sessions emanating from a mobile endpoint are less robust, and as such cybercriminals often impersonate mobile devices – from their desktop – so that fewer safeguards are employed that might otherwise detect malicious behavior.

4. Modern scripted attacks such as Man-in-the-Browser malware operate from the user’s actual device (whether mobile or desktop), and thus evade controls focused on device fingerprinting or geo-location.

5. Mobile devices frequently connect via public Wi-Fi hotspots, hotel networks, or other public access points that inherently impose greater risk. End-users still tend not to pay attention to or even understand SSL or HTTP, and will continue to communicate freely over open, and potentially insecure, connections.

6. Mobile devices are at greater risk of being lost or stolen, allowing potential thieves to use the user’s device to carry out fraudulent transactions.
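
The statistical-recognition weakness from point 2 can be measured directly. The following is an added example, not code from the article or from any fingerprinting product: it hashes a set of collected attributes into a fingerprint and reports how well that fingerprint separates devices in two small constructed populations. The attribute names and all sample values are assumptions.

```python
import hashlib
import math
from collections import Counter
from itertools import product

# Attribute names are assumptions standing in for what a client-side script reports.
ATTRS = ("screen", "dpi", "lang", "os", "plugins")

def fingerprint(device):
    """Collapse the collected attributes into one comparable value."""
    raw = "|".join(str(device[a]) for a in ATTRS)
    return hashlib.sha256(raw.encode()).hexdigest()[:16]

def uniqueness_report(population):
    """Measure how well fingerprints separate the devices in a population."""
    counts = Counter(fingerprint(d) for d in population)
    n = len(population)
    entropy = -sum((c / n) * math.log2(c / n) for c in counts.values())
    return {
        "distinct": len(counts),
        "unique_share": sum(1 for c in counts.values() if c == 1) / n,
        "largest_anonymity_set": max(counts.values()),
        "entropy_bits": entropy,
    }

def constructed_desktops():
    # Constructed sample: 8 desktops whose settings vary independently.
    combos = product(["1920x1080", "1366x768"], ["en-US", "de-DE"], ["flash,pdf", "pdf"])
    return [{"screen": s, "dpi": 96, "lang": l, "os": "Windows 7", "plugins": p}
            for s, l, p in combos]

def constructed_iphones():
    # Constructed sample: 8 iPhones of two models; everything else is factory-identical.
    models = ["640x1136"] * 4 + ["640x960"] * 4
    return [{"screen": s, "dpi": 326, "lang": "en-US", "os": "iOS 7.1", "plugins": ""}
            for s in models]

if __name__ == "__main__":
    for name, pop in (("desktop", constructed_desktops()), ("iphone", constructed_iphones())):
        print(name, uniqueness_report(pop))
```

In the desktop sample every device gets its own fingerprint, while the eight phones collapse into two groups of four, so a fraud engine keyed on this fingerprint cannot tell a customer's phone from three others.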

Ultimately, the next generation of online fraud detection and protection solutions will focus on attributes other than device- or IP-centric elements of the online session, including the profiling of live user behavior across the lifecycle, recognizing automated attacks, as well as collecting forensic information beyond what is necessary simply to fingerprint endpoint devices.